Because the device itself is a key to the server DB. If you can duplicate the key, there's no difference between legit and illicit. Unless the RFID device is active. And then you have higher expense and complexity, increased size, and exploits will still be found. As we saw when the RFID credit cards came and went....

That isn't even to mention the privacy concerns.

In most cases, I've found that if something obvious isn't being done, it's probably because it's not that good of an idea. This particular concept is hardly new, and the technology has existed long enough that if it were potentially useful and profitable, it would be ubiquitous by now. Afterall, this is how lost pets are reunited with owners. If they're willing to shoot one into a rescued feral cat, it's cheap and easy enough that Visa could have been all over it by now.